UPDATE: HHS PUBLISHED CLARIFICATIONS REGARDING THIS $6.50 PROVISION. PLEASE READ THESE IMPORTANT UPDATES HERE.
After the March 23 webinar on this important topic, clients still had very specific questions about the new, additional guidelines. Here are some of the Q&A for your review.
On February 25th, 2016, the Office of Civil Rights (OCR) and Health and Human Services (HHS) released a FAQ document providing additional guidance on existing regulations regarding a patient’s “right to access” their health information. This guidance centered around three main points: the acceptable delivery formats based on the request type, a reasonable cost-based fee may be charged for records and the right for the patient to direct their health information be sent to a third party.
In an effort to share information regarding this FAQ, DataFile hosted a webinar for our clients on March 23, 2016. The webinar may be viewed here. Please note that the information provided in the webinar and this post is not intended to be nor should be considered as legal advice.
A high-level overview of the main guidance of the FAQ includes:
- Delivery formats of PHI
- Covered Entities (CE) and Business Associates (BA) should make a strong effort to fulfill the records in the format requested by the patient
- If records are maintained electronically, it is expected that the CE or BA can fulfill a request for records to be delivered electronically. At a minimum, CE and BA organizations should be able to provide records delivered via email. Unencrypted email is an acceptable means of electronic transmission if and only if the patient has acknowledged the inherent risks of unencrypted transmission.
- Reasonable, cost-based fee for information
- For electronic copies of health information maintained electronically, a maximum charge of $6.50 applies.
- A patient’s right to direct their health information be sent to a third-party
- “Right to Access” applies when a patient requests that their health information be sent to a third party.
- “Right to Access” does not apply when the third party initiates the request.
Here are a sampling of questions we received as a result of the March 23rd Webinar:
Q: Are we required to fulfill ROI requests within a certain time period?
A: Yes, this guidance outlines that requests should be processed in a maximum of 30 days, unless there are extenuating circumstances that are explained to the patient. However, the guidance clarifies that because health information is more readily maintained in an electronic format, the OCR and HHS believe that processing the requests should occur much more quickly than the allotted 30-day period.
Q: Do states have a stricter rule that would prohibit us from sending PHI using an unsecure e-mail?
A: The guidance specifies that “Right to Access” defers to wherever the patient has the most access to their records. As such, this guidance allows for records to be sent in an unencrypted manner with the patient’s acknowledgement of the risks. Because the guidance perhaps provides more access than state-specific laws, the CE and BA should follow the guidance from the OCR and HHS. However, if a state law provides more access to health information for a patient, in those cases the CE and BA should follow their state-specific laws.
Q: Our practice currently doesn’t send PHI via email because we have a patient portal. Do we have to send it via email if the patient requests?
A: “Right to Access” specifies that if a patient requests their records be delivered in a certain format, the CE or BA should make every reasonable attempt to deliver the records in the requested format if possible. The guidance does reference that CE and BA organization should have access and be able to deliver records via email if requested. The OCR and HHS acknowledge than an exception may occur if the file size is too large to send by email. At that point, the CE or BA may work with the patient to determine another appropriate means to deliver the information.
Q: Will DataFile email records if they are requested to be provided that way?
A: Yes, DataFile will email records if the patient requests their information be delivered via email. As your Healthcare Data Expert partner, we act as an extension of your practice and have every intention of following along with your policies for email. We prefer and have the means to send the records in an encrypted format, but if the patient requests the records be sent via unencrypted email, we will work with you to share our best practices and implement a policy on your behalf for the patient’s acknowledgement.
Q: Although our email is secure, we can’t be certain the receiver’s email is secure.
A: Yes, that is correct. The guidance acknowledges that there are inherent risks in sending email, and specified that CE and BA organization address these risks in their Security Risk Analysis. If the patient requests that the email be sent unencrypted and acknowledges the possible risks which could occur in transmission or upon delivery, the CE or BA is relieved of the liability if an incident were to occur following hitting the “send” button.
Q: What about the per page fee associated with many state laws? Will DataFile still charge a per page fee?
A: DataFile will only charge a per page fee in instances in which the request for records does not originate from the patient or if records are requested to be provided to a recipient in a non-electronic medium. The recent FAQ establishes that these instances allow the charge for a reasonable, cost-based fee to patients and the state-based fees to other requestors.
Q: Is the $6.50 maximum fee a recommendation or a law? If a law, does it overrule state guidance regarding cost of ROI processing?
A: The $6.50 maximum is for electronic records requested to be provided electronically. This maximum is a clarification of previous legislation from the OCR and HHS and essentially should be treated as a law. “Right to Access” defers to the legislation that provides the greatest means for accessing records. That means if there is state legislation authorizing patient copies of their health information should be provided at no cost, the CE or BA should defer to that guidance rather than the $6.50 maximum.
Q: How does $6.50 take into account the need for quality and accuracy in terms of checking records over to insure the information is accurate and for that patient?
A: In short, it doesn’t. The $6.50 maximum for electronic copies of records maintained electronically is inclusive of all labor and supplies. The OCR and HHS offer guidance that the labor cost does not include “reviewing the request for access,” nor “searching for, retrieving, and otherwise preparing the responsive information,” nor reviewing the records “to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual and to segregate, collect, compile and otherwise prepare the responsive information.” In other words, once those steps listed above are complete, the labor costs can initiate.
Q: Is this presentation available to print?
A: Yes, you can find a PDF of the slides here.
Stay tuned. DataFile will have ongoing information on this important topic. We thank you for your outpouring of support on this new development.